From 6dae40e7c6c9a4c9c1963e21044269bbd9ec1221 Mon Sep 17 00:00:00 2001
From: henriquetruta
Date: Wed, 25 Mar 2015 11:24:38 -0300
Subject: [PATCH] Inhrerit roles project calls on keystoneclient v3
This patch allows the user to perform the Inherited roles from projects API calls through python-keystoneclient. Assign role to user on projects in a subtree PUT /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects List user's inherited project roles on project GET /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/inherited_to_projects Check if user has an inherited project role on project HEAD /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects Revoke an inherited project role from user on project DELETE /OS-INHERIT/projects/{project_id}/users/{user_id}/roles/{role_id}/inherited_to_projects These same operations regarding groups instead of users are also available.
Change-Id: I8396d80f031726bbd23f2cc2bb302a7691f98cba
Closes-bug: 1446702
---
keystoneclient/tests/unit/v3/test_roles.py | 121 +++++++++++++++++++++
keystoneclient/v3/roles.py | 4 +-
2 files changed, 123 insertions(+), 2 deletions(-)
diff --git a/keystoneclient/tests/unit/v3/test_roles.py b/keystoneclient/tests/unit/v3/test_roles.py
index 79ac07d5b..bb76e9ba0 100644
--- a/keystoneclient/tests/unit/v3/test_roles.py
+++ b/keystoneclient/tests/unit/v3/test_roles.py
@@ -59,6 +59,20 @@ class RoleTests(utils.TestCase, utils.CrudTests): self.manager.grant(role=ref['id'], domain=domain_id, user=user_id, os_inherit_extension_inherited=True) + def test_project_role_grant_inherited(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['OS-INHERIT', 'projects', project_id, 'users', user_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.grant(role=ref['id'], project=project_id, user=user_id, + os_inherit_extension_inherited=True) + def test_domain_group_role_grant(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex @@ -85,6 +99,20 @@ class RoleTests(utils.TestCase, utils.CrudTests): self.manager.grant(role=ref['id'], domain=domain_id, group=group_id, os_inherit_extension_inherited=True) + def test_project_group_role_grant_inherited(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('PUT', + ['OS-INHERIT', 'projects', project_id, 'groups', + group_id, self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.grant(role=ref['id'], project=project_id, group=group_id, + os_inherit_extension_inherited=True) + def test_domain_role_list(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex 
@@ -113,6 +141,23 @@ class RoleTests(utils.TestCase, utils.CrudTests): self.assertThat(ref_list, matchers.HasLength(len(returned_list))) [self.assertIsInstance(r, self.model) for r in returned_list] + def test_project_user_role_list_inherited(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['OS-INHERIT', + 'projects', project_id, 'users', user_id, + self.collection_key, 'inherited_to_projects'], + entity=ref_list) + + returned_list = self.manager.list(project=project_id, user=user_id, + os_inherit_extension_inherited=True) + + self.assertThat(ref_list, matchers.HasLength(len(returned_list))) + [self.assertIsInstance(r, self.model) for r in returned_list] + def test_domain_group_role_list(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex @@ -141,6 +186,23 @@ class RoleTests(utils.TestCase, utils.CrudTests): self.assertThat(ref_list, matchers.HasLength(len(returned_list))) [self.assertIsInstance(r, self.model) for r in returned_list] + def test_project_group_role_list_inherited(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref_list = [self.new_ref(), self.new_ref()] + + self.stub_entity('GET', + ['OS-INHERIT', + 'projects', project_id, 'groups', group_id, + self.collection_key, 'inherited_to_projects'], + entity=ref_list) + + returned_list = self.manager.list(project=project_id, group=group_id, + os_inherit_extension_inherited=True) + + self.assertThat(ref_list, matchers.HasLength(len(returned_list))) + [self.assertIsInstance(r, self.model) for r in returned_list] + def test_domain_role_check(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex 
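Review bot: In `test_project_user_role_list_inherited` and `test_project_group_role_list_inherited` the only checks on the result are a length match and `[self.assertIsInstance(r, self.model) for r in returned_list]`, so a client that parsed the inherited listing into the right number of objects with the wrong role ids would still pass. Comparing identifiers as well, for example `self.assertEqual([r['id'] for r in ref_list], [r.id for r in returned_list])` (assuming the model exposes `id`, which is not visible here), would pin what the listing actually returns. The list comprehension is used purely for its side effects; a plain `for r in returned_list:` loop states the intent without building a throwaway list. Both remarks follow a pattern already present in the surrounding context lines, so this is a request not to extend it rather than a regression.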
@@ -169,6 +231,21 @@ class RoleTests(utils.TestCase, utils.CrudTests): self.manager.check(role=ref['id'], domain=domain_id, user=user_id, os_inherit_extension_inherited=True) + def test_project_role_check_inherited(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['OS-INHERIT', + 'projects', project_id, 'users', user_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.check(role=ref['id'], project=project_id, + user=user_id, os_inherit_extension_inherited=True) + def test_domain_group_role_check(self): return group_id = uuid.uuid4().hex @@ -197,6 +274,21 @@ class RoleTests(utils.TestCase, utils.CrudTests): self.manager.check(role=ref['id'], domain=domain_id, group=group_id, os_inherit_extension_inherited=True) + def test_project_group_role_check_inherited(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('HEAD', + ['OS-INHERIT', + 'projects', project_id, 'groups', group_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.check(role=ref['id'], project=project_id, + group=group_id, os_inherit_extension_inherited=True) + def test_domain_role_revoke(self): user_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex 
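Review bot: `test_project_role_check_inherited` and `test_project_group_role_check_inherited` exercise only the 204 response, so the new project path has no test for `check()` when the inherited assignment does not exist. This HEAD call is used as a yes/no authorization query, so a companion test that stubs the same URL with `status_code=404` and asserts the client's not-found behaviour would guard against an absent assignment being read as present. How `check()` surfaces a 404 is not visible in this diff, so the exact assertion needs confirming against the manager code. Separately, the trailing context shows `test_domain_group_role_check` starting with a bare `return`, which looks like a silently disabled test and may deserve a follow-up.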
@@ -235,6 +327,20 @@ class RoleTests(utils.TestCase, utils.CrudTests): self.manager.revoke(role=ref['id'], domain=domain_id, user=user_id, os_inherit_extension_inherited=True) + def test_project_role_revoke_inherited(self): + user_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['OS-INHERIT', 'projects', project_id, 'users', user_id, + self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.revoke(role=ref['id'], project=project_id, + user=user_id, os_inherit_extension_inherited=True) + def test_domain_group_role_revoke_inherited(self): group_id = uuid.uuid4().hex domain_id = uuid.uuid4().hex @@ -250,6 +356,21 @@ class RoleTests(utils.TestCase, utils.CrudTests): group=group_id, os_inherit_extension_inherited=True) + def test_project_group_role_revoke_inherited(self): + group_id = uuid.uuid4().hex + project_id = uuid.uuid4().hex + ref = self.new_ref() + + self.stub_url('DELETE', + ['OS-INHERIT', 'projects', project_id, 'groups', + group_id, self.collection_key, ref['id'], + 'inherited_to_projects'], + status_code=204) + + self.manager.revoke(role=ref['id'], project=project_id, + group=group_id, + os_inherit_extension_inherited=True) + def test_project_role_grant(self): user_id = uuid.uuid4().hex project_id = uuid.uuid4().hex diff --git a/keystoneclient/v3/roles.py b/keystoneclient/v3/roles.py index ce72d70c5..a8d012515 100644 --- a/keystoneclient/v3/roles.py +++ b/keystoneclient/v3/roles.py @@ -50,8 +50,8 @@ class RoleManager(base.CrudManager): params['domain_id'] = base.getid(domain) base_url = '/domains/%(domain_id)s' - if use_inherit_extension: - base_url = '/OS-INHERIT' + base_url + if use_inherit_extension: + base_url = '/OS-INHERIT' + base_url if user: params['user_id'] = base.getid(user)
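Review bot: In the `keystoneclient/v3/roles.py` hunk, moving the `if use_inherit_extension:` prefix so it also applies to project-scoped URLs changes what existing callers get, and nothing in the diff documents that. A call like `grant(role, user=..., project=..., os_inherit_extension_inherited=True)` appears to have gone to the plain `/projects/...` path before (a direct assignment on that project) and will now create an inherited assignment, which the commit message describes as applying to projects in the subtree. That is a change in authorization scope, so the docstrings of `grant`, `list`, `check` and `revoke` (outside this hunk) should say the flag is honoured for projects as well as domains, and a release note would let operators audit automation that already passes the flag with `project=`. A one-line comment above the relocated `if`, such as `# OS-INHERIT prefix applies to both project- and domain-scoped assignments`, would record the intent. The enclosing method starts and ends outside the hunk and indentation is lost on this page, so the new placement is inferred from the commit message and the added tests.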